Multiple vulnerabilities expose DNS servers to denial of service and remote code execution attacks

The nonprofit organization Internet Systems Consortium (ISC) announced the release of several updates to BIND DNS software to fix multiple vulnerabilities that could be exploited to launch denial of service (DoS) attacks and even to exploit code remotely.

ISC released three security updates, including two regarding critical vulnerabilities fixed on April 28, although some organizations exposed to these flaws were reported privately and in advance. The most severe of these flaws was tracked as CVE-2021-25216 and is described as a buffer overflow that could lead to a server crash and even remote code execution. The flaw received a score of 8.1/10 according to the Common Vulnerability Scoring System (CVSS).

According to the report, only servers that use certain non-default configurations may be affected, although the organization suggests that the use of these configurations is relatively common. On the other hand, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert related to these flaws, recommending that organizations using affected deployments update as soon as possible.

Experts mention that this flaw is very similar to a vulnerability reported in early 2021 and fixed last February. Both flaws were reported to ISC through The Zero Day Initiative (ZDI).

Another reported flaw was tracked as CVE-2021-2515 and could be exploited remotely to cause the BIND name service process to terminate unexpectedly due to a failed verification, resulting in a DoS condition. This flaw can also be exploited remotely by unauthenticated threat actors.

Finally, updates fix a medium severity flaw that could be exploited for the deployment of DoS attacks; this flaw can only be exploited remotely on servers that accept zone transfers from a professional attacker. Experts mention that, so far, no attack attempts have been reported in real-world scenarios, although they recommend not ignoring updates.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.